b"           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n\n     UNIVERSITIES\xe2\x80\x99 USE OF SOCIAL\n    SECURITY NUMBERS AS STUDENT\n       IDENTIFIERS IN REGION IX\n\n\n    November 2005   A-09-05-15099\n\n\n\n\n AUDIT REPORT\n\x0c                                    Mission\nWe improve SSA programs and operations and protect them against fraud, waste,\nand abuse by conducting independent and objective audits, evaluations, and\ninvestigations. We provide timely, useful, and reliable information and advice to\nAdministration officials, the Congress, and the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xc2\x81 Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xc2\x81 Promote economy, effectiveness, and efficiency within the agency.\n  \xc2\x81 Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xc2\x81 Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xc2\x81 Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xc2\x81 Independence to determine what reviews to perform.\n  \xc2\x81 Access to all information necessary for the reviews.\n  \xc2\x81 Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nBy conducting independent and objective audits, investigations, and evaluations,\nwe are agents of positive change striving for continuous improvement in the\nSocial Security Administration's programs, operations, and management and in\nour own office.\n\x0c                                             SOCIAL SECURITY\nMEMORANDUM\n\nDate:   November 30, 2005                                                                           Refer To:\n\nTo:     Peter D. Spencer\n        Regional Commissioner\n         San Francisco\n\nFrom:   Inspector General\n\nSubject: Universities\xe2\x80\x99 Use of Social Security Numbers as Student Identifiers in Region IX\n        (A-09-05-15099)\n\n\n        OBJECTIVE\n        Our objective was to assess universities\xe2\x80\x99 use of Social Security numbers (SSN) as\n        student identifiers and the potential risks associated with such use.\n\n        BACKGROUND\n        Millions of students enroll in educational institutions each year. To assist in this\n        process, many colleges and universities use students\xe2\x80\x99 SSNs as personal identifiers.\n        The American Association of Collegiate Registrars and Admissions Officers found that\n        almost half of member institutions that responded to a 2002 survey used SSNs as the\n        primary student identifier.1 Although no single Federal law regulates overall use and\n        disclosure of SSNs by colleges and universities, the Privacy Act of 1974, the Family\n        Educational Rights and Privacy Act, and the Social Security Act, contain provisions\n        that govern disclosure and use of SSNs. See Appendix A for more information on the\n        specific provisions of these laws.\n\n        We selected two universities2 from each State in Region IX.3 For each university\n        selected, we interviewed university personnel and reviewed school policies and\n        practices for using SSNs. See Appendices B and C for additional details regarding the\n        scope and methodology of our review and a list of universities we contacted,\n\n\n        1\n         Academic Transcripts and Records: Survey of Current Practices, April 2002 Special Report, the\n        American Association of Collegiate Registrars and Admissions Officers.\n        2\n            In this report, we use the term \xe2\x80\x9cuniversities\xe2\x80\x9d to refer to colleges and universities.\n        3\n            Region IX consists of the following four States: Arizona, California, Hawaii, and Nevada.\n\x0cPage 2 \xe2\x80\x93 Peter D. Spencer\n\nrespectively. We are conducting a review in each of the Social Security Administration\xe2\x80\x99s\n(SSA) 10 regions and will issue separate reports to each Regional Commissioner.\n\nRESULTS OF REVIEW\nBased on our interviews with university personnel and reviews of school policies\nand practices, we are concerned about universities\xe2\x80\x99 use of SSNs. We identified a\nnumber of instances in which universities used SSNs as student identifiers or for other\npurposes. Based on prior audit and investigative work, we found that unnecessary\nuse of SSNs increases the potential for unscrupulous individuals to illegitimately gain\naccess to these numbers and misuse them, thus creating SSN integrity issues. Many\nuniversity personnel with whom we spoke shared our concerns and have taken steps\nto reduce SSN use.\n\nUNIVERSITIES\xe2\x80\x99 USE OF SSNs\n\nDespite the increasing threat of identity theft, universities continued to use SSNs for\na variety of purposes. We found that many universities collected students\xe2\x80\x99 SSNs for\nfinancial aid and tax reporting purposes. However, some universities also used the\nSSN for class registration, transcript requests, building access, electronic payment, and\ncomputer log-in.4 Other universities displayed SSNs on student identification cards,\nreply cards, and written examinations. This occurred, in part, because the SSN was\nused as the primary student identifier. Such use is unnecessary and increases the\npotential for fraud and abuse. Specifically, we found:\n\n\xe2\x80\xa2   Three universities used the SSN for access control or electronic payment. Students\n    were assigned a magnetic stripe card (that is, swipe card) that contained their\n    SSN to enter designated areas (such as laboratories or gymnasiums) or initiate\n    transactions (such as making photocopies, checking out books, placing telephone\n    calls, or purchasing meals and snacks).\n\n\xe2\x80\xa2   Three universities accepted students\xe2\x80\x99 SSNs for class registration and transcript\n    requests. Students were allowed to register for classes and request official\n    transcripts in paper and/or electronic format.\n\n\xe2\x80\xa2   Two universities printed the SSN on the student identification cards. In both\n    instances, the SSN was used as the primary student identifier.5 At one university,\n    the entire SSN was printed on the front of the student identification card. At the\n    other university, the last six digits of the SSN were printed.\n\n\n\n4\n  A computer log-in is used to establish communication and initiate interaction with a time-shared\ncomputer or network.\n5\n  At the time of our review, these universities were issuing alternate identification numbers to their\nstudents.\n\x0cPage 3 \xe2\x80\x93 Peter D. Spencer\n\n\xe2\x80\xa2    Two universities accepted students\xe2\x80\x99 SSNs to access computer systems. One\n     university required the SSN to log onto computers, while it was optional at the\n     other university. Since the SSN may be displayed, in whole or in part, on the\n     computer monitor, the risk of disclosure to unauthorized individuals is increased.\n\n\xe2\x80\xa2    One university requested that prospective students provide their SSNs on reply\n     cards used to schedule campus tours or informational meetings. These cards\n     requested that students provide their name, address, telephone number, and other\n     personal information, including SSN. The university plans to revise the reply cards\n     to exclude the SSN.\n\n\xe2\x80\xa2    One university required that students record their SSNs on written examinations that\n     were graded electronically. In such instances, students entered their SSN, which\n     was used as the primary student identifier,6 onto Scantron sheets or Optical Mark\n     Read forms (that is, machine-readable forms).\n\nUNIVERSITIES AND STATES HAVE TAKEN STEPS TO LIMIT SSN USE\n\nSome universities and States have taken steps to limit SSN use. Of the eight\nuniversities selected for review, we found that two still used the SSN as the primary\nstudent identifier. However, both universities were assigning their students\nalternate identification numbers. Another university did not assign specific identification\nnumbers but, in some instances, used the SSN to distinguish between the records of\nstudents with the same name. In addition, five universities did not use the SSN as the\nprimary student identifier. Nevertheless, one of these universities allowed its students\nto use the SSN in lieu of their assigned identification number. Specifically, we found:\n\n\xe2\x80\xa2    One university used the SSN as the primary student identifier for about 69 percent of\n     its students as of April 2005. The university started issuing alternate identification\n     numbers to new students in January 2005. However, for students who were\n     enrolled before this date, the university still used the SSN as the primary identifier\n     unless the student had requested an alternate number. The university plans to issue\n     alternate identification numbers to all students by December 2005.\n\n\xe2\x80\xa2    Another university used the SSN as the primary student identifier for all students as\n     of February 2005. However, at the time of our review, the university had initiated\n     actions to modify its computer system and issue alternate identification numbers to\n     current and prior students. University personnel stated these systems modifications\n     were implemented in August 2005. As a result, the university has discontinued the\n     use of the SSN as the primary student identifier.\n\n\n\n\n6\n    See id.\n\x0cPage 4 \xe2\x80\x93 Peter D. Spencer\n\n\xe2\x80\xa2     One university assigned unique identification numbers to all students but, as\n      an alternative, allowed these students to use their SSN as an identifier. As a\n      result, students could use their SSN (in lieu of their assigned nine-digit number) for\n      identification purposes and to obtain goods and services. The university allowed\n      students to use their SSN as an optional identifier because it was easier to\n      remember than the assigned identification number.\n\nIn addition, both California and Arizona have enacted laws that restrict the use and\ndisclosure of SSNs. California passed legislation that prohibits (1) publicly posting\nor displaying an SSN; (2) printing an SSN on any card required to access products or\nservices; (3) requiring that an individual transmit his or her SSN over the Internet unless\nthe connection is secure or the SSN is encrypted; (4) requiring that an individual use\nhis or her SSN to access an Internet website, unless a password or unique personal\nidentification number or other authentication device is also required; and (5) printing an\nSSN on any item mailed to an individual unless State or Federal law requires that the\nSSN be on the mailed document.7\n\nArizona passed legislation that prohibits those universities under the jurisdiction of the\nArizona Board of Regents from assigning an identification number to faculty, staff, or\nstudents at a university that is identical to the individual\xe2\x80\x99s SSN. The law also prohibits\nthe display of the SSN (or any four or more consecutive numbers of the SSN) on any\nInternet site maintained by the university or other publicly accessible document.8\n\nArizona also passed legislation that prohibits certain disclosures of SSNs to the public\nand the printing of SSNs on any card required for the individual to receive products or\nservices. The law also establishes technical protection requirements for the on-line\ntransmission of SSNs. In addition, the law prohibits, in certain circumstances, the\nprinting of SSNs on mailed materials to residents of Arizona unless required by State\nor Federal law.9\n\nBased on our interviews with university personnel, we found the two universities in\nCalifornia had complied with the applicable State laws to limit the use of SSNs as\nidentifiers. However, one of the two universities in Arizona had not complied with the\napplicable State law that prohibits universities from assigning an identification number\nidentical to the SSN and displaying any four or more numbers of the SSN.10 We found\nthe university had continued to use and display the SSN as a student identifier at the\n\n\n\n7\n  California Civil Code \xc2\xa7\xc2\xa7 1798.85 and 1798.86. The restrictive provisions, in certain situations, do not\nbecome effective until January 1, 2006 or thereafter.\n8\n     Arizona Revised Statutes \xc2\xa7 15-1823.\n9\n  Arizona Revised Statutes \xc2\xa7 44-1373. The restrictive provisions, in certain situations, allow individuals\nand entities to continue their use of SSNs, if such use began prior to January 1, 2005.\n10\n     Arizona Revised Statutes \xc2\xa7 15-1823. This provision of the law became effective on June 30, 2002.\n\x0cPage 5 \xe2\x80\x93 Peter D. Spencer\n\ntime of our review. To comply with the law, the university started issuing alternate\nidentification numbers in January 2005 and plans to complete the process by\nDecember 2005.\n\nPOTENTIAL RISKS ASSOCIATED WITH COLLECTING AND USING SSNs\n\nUniversities\xe2\x80\x99 collection and use of SSNs entail certain risks, including potential identity\ntheft and fraud. Each time an individual discloses his or her SSN, the potential for a\nthief to illegitimately gain access to bank accounts, credit cards, driving records, tax and\nemployment histories, and other private information increases. Of the eight universities\nselected for review, there were incidences of potential SSN misuse at two universities.\nBecause some universities still use the SSN as an identifier, students\xe2\x80\x99 exposure to\nidentity theft and fraud remains. We believe the following examples illustrate students\xe2\x80\x99\nrisk of exposure to such activity.\n\n\xe2\x80\xa2   A student employee at a Nevada university had access to students\xe2\x80\x99 personal\n    information, including names, addresses, and SSNs. The student employee\n    allegedly obtained credit card numbers and fictitious application fees from\n    prospective students, which were used to pay for the student employee\xe2\x80\x99s college\n    expenses. University personnel were unaware of any SSN misuse. The student\n    employee was expelled from the university.\n\n\xe2\x80\xa2   In California, a computer hacker gained access to one of the university\xe2\x80\x99s computer\n    systems that contained the names, addresses, telephone numbers, birth dates, and\n    SSNs of at least 600,000 individuals. The data were used by a researcher working\n    at the university and had been obtained under authorization from a State agency.\n\n\xe2\x80\xa2   A laptop computer owned by a California university was stolen. The computer\n    files contained SSNs and other personal information for about 98,000 individuals,\n    including current, former, and prospective graduate students. The files on the laptop\n    were downloaded by an employee for campus research and had not been\n    encrypted.\n\n\xe2\x80\xa2   California authorities arrested a man suspected of stealing the names and SSNs of\n    150 college students and using that information to obtain credit cards and charge\n    over $200,000 in the students\xe2\x80\x99 names.\n\x0cPage 6 \xe2\x80\x93 Peter D. Spencer\n\nCONCLUSION AND RECOMMENDATIONS\nDespite the potential risks for SSN misuse and identity theft, some universities continue\nusing SSNs as student identifiers or for other purposes. While we recognize SSA\ncannot prohibit universities from using SSNs as student identifiers, we believe SSA can\nhelp reduce potential threats to SSN integrity by encouraging universities to limit SSN\ncollection and use. We also recognize the challenge of educating such a large number\nof educational institutions about unnecessary SSN use. However, given the potential\nthreats to SSN integrity, such a challenge should not discourage SSA from taking steps\nto safeguard SSNs. Accordingly, we recommend that SSA:\n\n1. Coordinate with universities and State/regional educational associations to educate\n   the university community about the potential risks associated with using SSNs.\n\n2. Encourage universities to limit their collection and use of SSNs.\n\n3. Promote the best practices of educational institutions that no longer use SSNs as\n   student identifiers.\n\nAGENCY COMMENTS\nSSA agreed with all of our recommendations. See Appendix D for the text of SSA\xe2\x80\x99s\ncomments.\n\n\n\n\n                                                S\n                                                Patrick P. O\xe2\x80\x99Carroll, Jr.\n\x0c                                      Appendices\nAPPENDIX A \xe2\x80\x93 Federal Laws that Govern Disclosure and Use of the Social Security\n             Number\n\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\n\nAPPENDIX C \xe2\x80\x93 Educational Institutions Contacted\n\nAPPENDIX D \xe2\x80\x93 Agency Comments\n\nAPPENDIX E \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                                                    Appendix A\nFederal Laws that Govern Disclosure and Use\nof the Social Security Number\n\nThe following Federal laws establish a general framework for disclosing and using the\nSocial Security number (SSN).\n\nThe Privacy Act of 1974 (5 U.S.C. \xc2\xa7 552a; Pub. L. No. 93-579, \xc2\xa7\xc2\xa7 7(a) and 7(b))\n\nThe Privacy Act of 1974 provides that it is unlawful for a State government agency to\ndeny any person a right, benefit, or privilege provided by law based on the individual\xe2\x80\x99s\nrefusal to disclose his/her SSN, unless such disclosure was required to verify the\nindividual\xe2\x80\x99s identity under a statute or regulation in effect before January 1, 1975.\nFurther, under Section 7(b), a State agency requesting that an individual disclose\nhis/her SSN must inform the individual whether the disclosure is voluntary or\nmandatory, by what statutory or other authority the SSN is solicited and what uses\nwill be made of the SSN.\n\nThe Family Educational Rights and Privacy Act (20 U.S.C. \xc2\xa7 1232g; 34 C.F.R. Part 99)\n\nThe Family Educational Rights and Privacy Act (FERPA) protects the privacy of student\neducation records. FERPA applies to those schools that receive funds under an\napplicable program of the U.S. Department of Education. Under FERPA, an\neducational institution must have written permission from the parent or eligible student\nto release any personally identifiable information (which includes SSNs) from a\nstudent\xe2\x80\x99s education record.1 FERPA does, however, provide certain exceptions in\nwhich a school is allowed to disclose records without consent. These exceptions\ninclude disclosure without consent to university personnel internally who have a\nlegitimate educational interest in the information, to officials of institutions where the\nstudent is seeking to enroll/transfer, to parties to whom the student is applying for\nfinancial aid, to the parent of a dependent student, to appropriate parties in compliance\nwith a judicial order or lawfully issued subpoena, or in the event of a health or safety\nemergency.\n\n\n\n\n1\n   FERPA gives parents certain rights with respect to their children\xe2\x80\x99s education records. These rights\ntransfer to the child when the child reaches age 18 or attends an institution of postsecondary education.\nChildren that have been transferred rights are referred to as \xe2\x80\x9celigible students.\xe2\x80\x9d\n\n                                                   A-1\n\x0cThe Social Security Act\n\nThe Social Security Act provides that \xe2\x80\x9c[s]ocial security account numbers and related\nrecords that are obtained or maintained by authorized persons pursuant to any\nprovision of law, enacted on or after October 1, 1990, shall be confidential, and no\nauthorized person shall disclose any such Social Security account number or related\nrecord.\xe2\x80\x9d (42 U.S.C. \xc2\xa7 405(c)(2)(C)(viii)). The Social Security Act also provides that\n\xe2\x80\x9c[w]hoever discloses, uses, or compels the disclosure of the Social Security number of\nany person in violation of the laws of the United States; shall be guilty of a felony\xe2\x80\xa6\xe2\x80\x9d\n(42 U.S.C. \xc2\xa7 408(a)(8)).\n\n\n\n\n                                           A-2\n\x0c                                                                        Appendix B\n\nScope and Methodology\nTo accomplish our objective, we:\n\n\xe2\x80\xa2   interviewed selected university personnel responsible for student\n    admissions/registrations;\n\n\xe2\x80\xa2   reviewed Internet websites of eight colleges and universities we contacted;\n\n\xe2\x80\xa2   reviewed applicable laws and regulations; and\n\n\xe2\x80\xa2   reviewed selected studies, articles, and reports regarding universities\xe2\x80\x99 use of Social\n    Security numbers (SSN) as student identifiers.\n\nWe visited five educational institutions and interviewed personnel at three others to\nlearn more about their policies and practices for using SSNs as student identifiers.\nOur review of internal controls was limited to gaining an understanding of universities\xe2\x80\x99\npolicies over the collection, protection and use or disclosure of SSNs. The Social\nSecurity Administration entity reviewed was the Office of the Deputy Commissioner\nfor Operations. We conducted our audit from February through August 2005 in\naccordance with generally accepted government auditing standards.\n\x0c                                                                          Appendix C\n\nEducational Institutions Contacted\nWe interviewed personnel at eight educational institutions in Region IX. The following\ntable shows the names and locations of these schools as well as their approximate\nstudent enrollments.\n\n                                                                             Student\n                        School                         Location             Enrollment\n\n   1     Arizona State University             Tempe, Arizona                  58,156\n\n   2     University of California, Berkeley   Berkeley, California            31,676\n\n   3     San Francisco State University       San Francisco, California       28,804\n\n   4     University of Nevada, Las Vegas      Las Vegas, Nevada               27,000\n\n   5     Hawaii Pacific University            Honolulu, Hawaii                9,000\n\n   6     Chaminade University                 Honolulu, Hawaii                2,800\n\n   7     Prescott College                     Prescott, Arizona               1,036\n\n   8     University of Southern Nevada        Henderson, Nevada                 300\n\nSource: We determined student enrollment by reviewing university websites.\n\x0c                  Appendix D\n\nAgency Comments\n\x0c                                                                      Appendix E\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   James J. Klein, Director, (510) 970-1739\n\n   Jack H. Trudel, Audit Manager, (510) 970-1733\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Regina Finley, Auditor-in-Charge\n\n   James Sippel, Senior Auditor\n\n   Kimberly Beauchamp, Writer-Editor\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Specialist at (410) 965-3218. Refer to Common Identification Number\nA-09-05-15099.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform and\nOversight\nChairman and Ranking Minority Member, Committee on Governmental Affairs\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Executive Operations (OEO). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                        Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure\nprogram objectives are achieved effectively and efficiently. Financial audits assess whether\nSSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash\nflow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs\nand operations. OA also conducts short-term management and program evaluations and projects\non issues of concern to SSA, Congress, and the general public.\n\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                  Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                               Office of Executive Operations\nOEO supports OIG by providing information resource management and systems security. OEO\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, OEO is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c"